This past week, the Office of Civil Rights (OCR), working in partnership with the Department of Health & Human Services (HHS), released a massive omnibus final rule outlining changes to HIPAA. The rule is based on statutory changes under the HITECH Act as well as the Genetic Information Nondiscrimination Act of 2008 (GINA).
HHS Secretary Kathleen Sebelius noted as part of the release:
“Much has changed in healthcare since HIPAA was enacted over 15 years ago…The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”
The final rule covers quite a bit of ground and includes changes surrounding issues such as the scope of Business Associates (more below), breach notifications and a variety of issues concerning elements of patient control over their health information. At Patients Know Best we’re particularly interested in that last bit about patient control.
The final rule makes it clear that patients can access an electronic copy of their health record. It states:
Section 13405(e) of the HITECH Act strengthens the Privacy Rule’s right of access with respect to covered entities that use or maintain an electronic health record (EHR) on an individual. Section 13405(e) provides that when a covered entity uses or maintains an EHR with respect to protected health information of an individual, the individual shall have a right to obtain from the covered entity a copy of such information in an electronic format and the individual may direct the covered entity to transmit such copy directly to the individual’s designee, provided that any such choice is clear, conspicuous, and specific. Section 13405(e) also provides that any fee imposed by the covered entity for providing such an electronic copy shall not be greater than the entity’s labor costs in responding to the request for the copy.
As we’ve stated in the past, this is a basic human right. But given the structure of the US healthcare system, the variety of incentives and the nature of the EHR vendor landscape, it needs to be, and should be, spelled out quite clearly.
Besides granting access to the record, the rule provides that patient information cannot be sold without a patient’s permission:
“The final rule also requires an individual’s authorization before a covered entity may disclose protected health information in exchange for remuneration (i.e., “sell” protected health information), even if the disclosure is for an otherwise permitted disclosure under the Privacy Rule.”
Most people would reasonably believe that patient data about their own health should belong to them. EHRs are not Facebook or Twitter and unlike those companies’ ultimate business model (“if you’re not the customer, you’re the product”), we should expect our own health data to belong to us, not shareholders. This rule makes that fact clear.
That said, we believe that once you put a patient in control of their data, they should be free to do whatever they want with it, including selling the data. The rest of the rule covers quite a bit more ground on the topic of patient control, and it’s well worth reading.
A separate and long-overdue change is that the rule explicitly labels PHR vendors as Business Associates, with all that designation entails.
The final rule adopts the language that expressly designates as business associates: (1) a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.
The rule itself includes a bit of subtlety, as follows:
Several commenters sought clarification on when a personal health record vendor would be providing a personal health record “on behalf of” a covered entity and thus, would be a business associate for purposes of the HIPAA Rules. As with data transmission services, determining whether a personal health record vendor is a business associate is a fact specific determination. A personal health record vendor is not a business associate of a covered entity solely by virtue of entering into an interoperability relationship with a covered entity. For example, when a personal health record vendor and a covered entity establish the electronic means for a covered entity’s electronic health record to send protected health information to the personal health record vendor pursuant to the individual’s written authorization, it does not mean that the personal health record vendor is offering the personal health record on behalf of the covered entity, even if there is an agreement between the personal health record vendor and the covered entity governing the exchange of data (such as an agreement specifying the technical specifications for exchanging of data or specifying that such data shall be kept confidential). In contrast, when a covered entity hires a vendor to provide and manage a personal health record service the covered entity wishes to offer its patients or enrollees, and provides the vendor with access to protected health information in order to do so, the personal health record vendor is a business associate.
This is a useful distinction that acknowledges the fact that patient care circles can be quite complex. Requiring Business Associate contracts with every organization from which the PHR receives data would present a huge burden in the pursuit of effectively moving patient data around the system writ large.
HIPAA may not have been explicit about PHRs in the past, which allowed certain PHR vendors to act as though HIPAA did not apply to them. Microsoft HealthVault, one of those vendors, finally came to its senses in 2009. At PKB, we’ve always acted well beyond the privacy constraints of HIPAA and have signed Business Associate agreements with our US clients from the start.
HIPAA does a great deal to protect patient privacy, but it’s only one part of the puzzle. Patients need to be given full and absolute control over their medical records in addition to stringent privacy constraints for the e-health system to become effective, as well as secure.